[squid-users] 3.5.8 — SSL Bump questions

James Lay jlay at slave-tothe-box.net
Tue Sep 8 20:42:57 UTC 2015


On 2015-09-08 02:32 PM, Alex Rousskov wrote:
> On 09/08/2015 02:18 PM, James Lay wrote:
> 
>> I'm currently having great success with 3.5.8 and this
>> peek/splice only method using transparent intercept:
>> 
>> ###############################
>> acl step1 at_step SslBump1
>> acl step2 at_step SslBump2
>> acl step3 at_step SslBump3
>> 
>> ssl_bump peek step1 all
>> ssl_bump peek step2 all
>> acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
>> ssl_bump splice step3 allowed_https_sites
>> ssl_bump terminate all
>> ###############################
> 
> 
> Bugs notwithstanding, the above can be further simplified (in v3.5.8 and later):
> 
>  acl allowed_https_sites ...
>  ssl_bump peek all
>  ssl_bump splice allowed_https_sites
>  ssl_bump terminate all
> 
> 
> HTH,
> 
> Alex.

Hey thanks Alex...I will give that a test with 3.5.8.  I also recall in 
earlier builds that "ssl_bump peek all" only matched SNI, but did not 
match the cert subject, which is why I forced it with peeking at step1 
and step2.  Thanks again.

James
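Added example, not part of the thread and not Squid's own code: a small Python script that mimics how the allowed_https_sites ACL in the configs above decides between splice and terminate at step 3, so the contents of the server_name_regex file can be checked offline before they go into production. The file contents are constructed here as a stand-in for /opt/etc/squid/http_url.txt; the matching rule assumed is that Squid regex ACLs perform an unanchored search over the server name, which is why an entry like `example\.com` also matches `example.com.attacker.test` and why a practitioner wants every pattern anchored with `^` and `$`.

```python
import re

# Constructed stand-in for /opt/etc/squid/http_url.txt (not the poster's real file).
# One regex per line, '#' lines are comments.
ALLOWED_HTTPS_SITES = r"""
# unanchored: matches anywhere inside the server name (over-matches)
example\.com
# anchored: the domain itself or any subdomain, nothing else
^(.+\.)?updates\.example\.org$
"""


def load_patterns(text):
    """Compile the non-comment, non-empty lines of a server_name_regex file."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line))
    return patterns


PATTERNS = load_patterns(ALLOWED_HTTPS_SITES)


def decide(server_name, patterns=PATTERNS):
    """Return the step-3 action under the rule order from the thread:
    'ssl_bump splice allowed_https_sites' first, then 'ssl_bump terminate all'.

    Assumption: Squid regex ACLs do an unanchored search (re.search), not a
    full-string match."""
    for pattern in patterns:
        if pattern.search(server_name):
            return "splice"
    return "terminate"


def unanchored(patterns=PATTERNS):
    """List patterns that lack a leading '^' or trailing '$'; these are the
    entries that can match unintended hosts."""
    return [
        p.pattern
        for p in patterns
        if not (p.pattern.startswith("^") and p.pattern.endswith("$"))
    ]


if __name__ == "__main__":
    # Constructed server names, as Squid would see them from SNI (step 2)
    # or from the server certificate (step 3).
    for name in (
        "www.example.com",
        "example.com.attacker.test",      # spliced only because of the unanchored entry
        "cdn.updates.example.org",
        "updates.example.org.attacker.test",
    ):
        print(f"{name:40} -> {decide(name)}")
    print("unanchored patterns:", unanchored())
```

Run it against the real regex file to see which entries over-match; any pattern reported by unanchored() should be rewritten with explicit `^` and `$` anchors.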
